* an_to_ln.c (krb5_aname_to_localname): Don't write one byte past

	the end of a string.  Found by Christopher Nebergall.

ticket: 2024
component: krb5-libs
version_reported: 1.3.1

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15895 dc483132-0cff-0310-8789-dd5450dbe970

2 files changed, 14 insertions, 6 deletions

diff --git a/src/lib/krb5/os/ChangeLog b/src/lib/krb5/os/ChangeLog
index 017b9ae7e..7895b7c68 100644
--- a/src/lib/krb5/os/ChangeLog
+++ b/src/lib/krb5/os/ChangeLog
@@ -1,3 +1,8 @@
+2003-12-12  Tom Yu  <tlyu@mit.edu>
+
+	* an_to_ln.c (krb5_aname_to_localname): Don't write one byte past
+	the end of a string.  Found by Christopher Nebergall.
+
 2003-10-27  Jeffrey Altman <jaltman@mit.edu>
 
     * sendto_kdc.c: sockets must be closed with closesocket() and 
diff --git a/src/lib/krb5/os/an_to_ln.c b/src/lib/krb5/os/an_to_ln.c
index 426399e14..c42b82142 100644
--- a/src/lib/krb5/os/an_to_ln.c
+++ b/src/lib/krb5/os/an_to_ln.c
@@ -643,7 +643,7 @@ krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, const
     const char		*hierarchy[5];
     char		**mapping_values;
     int			i, nvalid;
-    char		*cp;
+    char		*cp, *s;
     char		*typep, *argp;
     unsigned int        lnsize;
 
@@ -677,11 +677,14 @@ krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, const
 
 		    /* Just use the last one. */
 		    /* Trim the value. */
-		    cp = &mapping_values[nvalid-1]
-			[strlen(mapping_values[nvalid-1])];
-		    while (isspace((int) (*cp))) cp--;
-		    cp++;
-		    *cp = '\0';
+		    s = mapping_values[nvalid-1];
+		    cp = s + strlen(s);
+		    while (cp > s) {
+			cp--;
+			if (!isspace((int)(*cp)))
+			    break;
+			*cp = '\0';
+		    }
 
 		    /* Copy out the value if there's enough room */
 		    if (strlen(mapping_values[nvalid-1])+1 <= (size_t) lnsize)